Iran-Linked Handala Breached a California Water Utility. It Could Have Done Worse, and It Knows That.

Pierluigi Paganini June 12, 2026

Pro-Iran group Handala breached Cal Water via an exposed GPS tool, reaching billing data for 2M customers. 5GB leaked.

On June 11, 2026, the Iran-linked threat group Handala posted a claim on its blog that it had compromised California Water Service, known as Cal Water, and published a 5GB proof-of-concept data dump to back it up.

California Water Service is one of the largest investor-owned water utilities in the United States. It is a subsidiary of California Water Service Group and provides drinking water and wastewater services to residential, commercial, and industrial customers. The company serves hundreds of thousands of customer connections across numerous communities in California, as well as smaller operations in other states through affiliated utilities.

The group said the intrusion was retaliation for recent US actions in Iran, and claimed it had the ability to disrupt water access but chose not to. For now.

Cybersecurity firm Dataminr’s analysis of the published dump identified two separate systems that Handala reached. The first is a customer billing database containing names, service addresses, phone numbers, account numbers, and payment histories across multiple Cal Water districts. The second is an internal RTKBase deployment, an open-source GNSS base station platform used by field crews to receive centimeter-accurate GPS corrections when mapping and maintaining water infrastructure.

“Dataminr analysis of the published PoC indicates Handala accessed two separate Cal Water systems: a customer billing database containing PII for accounts across multiple districts, and an internal RTKBase NTRIP caster network used for precision GPS operations across field crews.” reads Dataminr’s report. “The RTKBase instance had been operational for approximately 783 continuous hours at time of access, with GPS correction data streamed across all seven identified district mountpoints.”

Handala’s public release exposed NTRIP network infrastructure linked to at least seven California Water Service operational districts, including Bakersfield, Chico, Salinas, Stockton, Visalia, San Mateo, and a regional engineering segment.

However, the researchers pointed out that RTKBase wasn’t the end goal. It was the entry point.

“The billing system and RTKBase platform represent distinct infrastructure. The RTKBase network is assessed as a probable initial access vector or lateral pivot point that enabled the actor to reach the billing environment.” continues the report.

Cal Water ran RTKBase, an open-source GNSS base station application that is often deployed on lightweight hardware such as a Raspberry Pi. Its web-based management interface answered over plain, unencrypted HTTP on TCP port 10000 across multiple district mountpoints.

For this reason it was easy to find, easy to access, and useful as a stepping stone.

The dump is comprehensive enough to treat everything in it as fully compromised. Administrative credentials for the RTKBase platform and a mountpoint-level NTRIP source password are published in plaintext. The IP block supporting Cal Water’s NTRIP network across all seven districts is fully enumerated.

Dataminr researchers recommend rotating all exposed credentials immediately, taking RTKBase instances offline for audit, and reviewing network segmentation between the GPS infrastructure network and the billing environment. Those two systems should never have been able to reach each other.

The OT question is the one that should be keeping water utility security teams awake. No disruption to water treatment processes, SCADA systems, or chemical dosing has been confirmed in this incident.

The experts warn of Handala’s destructive capabilities, including custom wipers and MBR-overwriting tools, and note that the group has previously escalated from data theft to system destruction in other attacks.

“While OT/ICS disruption is not confirmed in this incident, Handala’s deployed toolkit includes custom wipers (win.handala, Handala Wiper, Hamsa Wiper) and MBR-overwriting capabilities.” states the report. “The group has demonstrated willingness to escalate from data theft to destructive operations within the same campaign cycle, as evidenced by the Stryker incident.”

Handala appears as a pro-Palestinian hacktivist group but is widely seen as a front for Iran-backed Void Manticore, as reported by SecurityWeek. Known for phishing, data theft, extortion, and destructive wiper attacks, they also engage in info operations and psychological warfare. Since the Iran conflict began, they’ve targeted Israeli military servers, intelligence officers, and companies, stealing or wiping data.

The group has been active since at least December 2023 and has escalated US-targeted operations significantly since February 2026, when US-Iran military engagement intensified. Water infrastructure fits the group’s stated doctrine of targeting “life-sustaining” systems for maximum societal and psychological impact. CISA issued a specific advisory this year warning of Iranian targeting of US water sector technologies. This is that advisory materializing.

In March 2026, Handala deployed a wiper against Stryker that disrupted manufacturing and shipping. Data theft first, destruction later is a documented pattern, not speculation.

Cal Water has not publicly acknowledged the breach. Affected customers face elevated phishing risk given that names, addresses, phone numbers, and account details are now publicly available. Utilities in the water sector running RTKBase or similar NTRIP caster software should verify immediately that their admin panels are not internet-exposed and are behind network-layer controls rather than just application credentials.
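The check above is one a utility can script. The following is an added example written for this article, not code from Security Affairs, Dataminr or the RTKBase project. It probes a host on the web UI port the article names (10000) and on TCP 2101, which is assumed here as the conventional NTRIP caster port, then classifies whatever answers: an NTRIP caster is recognised by the NTRIP v1 `SOURCETABLE 200 OK` status line or an NTRIP v2 `Ntrip-Version` header, and its `STR` records are parsed to list mountpoints whose authentication field is `N` (no credentials required). The RTKBase web UI is recognised by the assumed fingerprint of “RTKBase” in its page title. The sample responses embedded at the bottom are constructed so the classifier can be exercised with no network access.

```python
"""Exposure check for RTKBase web UIs and NTRIP casters (added example).

Run from OUTSIDE the utility's network, e.g. from a cloud host:
    python3 ntrip_exposure_check.py base1.example.net base2.example.net
Anything that answers is, by definition, internet-exposed.
"""
import socket
import sys
from dataclasses import dataclass, field

# Assumptions: TCP 10000 is the web UI port the article names; 2101 is the
# conventional NTRIP caster port (not stated in the article).
DEFAULT_PORTS = (10000, 2101)


@dataclass
class Finding:
    kind: str                                         # "rtkbase-webui", "ntrip-caster", "http", "unknown", "none"
    mountpoints: dict = field(default_factory=dict)   # mountpoint name -> authentication flag (N/B/D)

    @property
    def open_mountpoints(self):
        """Mountpoints whose sourcetable entry says no authentication is required."""
        return sorted(m for m, auth in self.mountpoints.items() if auth == "N")


def probe_http(host: str, port: int, timeout: float = 3.0) -> bytes:
    """Send a bare GET / and return whatever the service answers (b"" if nothing)."""
    request = (f"GET / HTTP/1.0\r\nHost: {host}\r\n"
               f"User-Agent: NTRIP exposure-check\r\n\r\n").encode()
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(request)
            chunks, total = [], 0
            while total < 65536:                      # cap the read; a caster may stream forever
                data = s.recv(4096)
                if not data:
                    break
                chunks.append(data)
                total += len(data)
            return b"".join(chunks)
    except OSError:
        return b""


def parse_sourcetable(text: str) -> dict:
    """Map mountpoint -> authentication flag from NTRIP STR records.

    In a STR record, field 15 (0-based, counting the leading 'STR') is the
    authentication method: N = none, B = basic, D = digest.
    """
    mounts = {}
    for line in text.splitlines():
        if not line.startswith("STR;"):
            continue
        fields = line.split(";")
        if len(fields) > 15:
            mounts[fields[1]] = fields[15].strip() or "?"
    return mounts


def classify_response(raw: bytes) -> Finding:
    """Decide what kind of service produced the raw response."""
    if not raw:
        return Finding("none")
    text = raw.decode("utf-8", errors="replace")
    head, _, body = text.partition("\r\n\r\n")
    # NTRIP v1 casters answer "SOURCETABLE 200 OK"; v2 casters answer as HTTP
    # with an Ntrip-Version header. Check this before the web UI fingerprint,
    # because RTKBase also appears as the generator field in STR records.
    if head.startswith("SOURCETABLE 200 OK") or "ntrip-version:" in head.lower():
        return Finding("ntrip-caster", parse_sourcetable(body))
    if "<title>rtkbase" in text.lower():               # assumed web UI fingerprint
        return Finding("rtkbase-webui")
    if head.startswith("HTTP/"):
        return Finding("http")
    return Finding("unknown")


def check_hosts(hosts, ports=DEFAULT_PORTS):
    """Probe each host/port; return {(host, port): Finding} for everything that answered."""
    results = {}
    for host in hosts:
        for port in ports:
            finding = classify_response(probe_http(host, port))
            if finding.kind != "none":
                results[(host, port)] = finding
    return results


# Constructed sample responses (not captured from any real system).
SAMPLE_SOURCETABLE = (
    b"SOURCETABLE 200 OK\r\nServer: NTRIP Caster/1.0\r\nContent-Type: text/plain\r\n\r\n"
    b"STR;DISTRICT_A;Base A;RTCM 3.2;1005(1),1077(1);2;GPS+GLO;NET;USA;36.00;-119.00;0;0;RTKBase;none;N;N;9600;\r\n"
    b"STR;DISTRICT_B;Base B;RTCM 3.2;1005(1),1077(1);2;GPS+GLO;NET;USA;37.00;-121.00;0;0;RTKBase;none;B;N;9600;\r\n"
    b"ENDSOURCETABLE\r\n"
)
SAMPLE_WEBUI = (
    b"HTTP/1.0 200 OK\r\nContent-Type: text/html\r\n\r\n"
    b"<html><head><title>RTKBase</title></head><body>login</body></html>"
)

if __name__ == "__main__":
    for (h, p), f in check_hosts(sys.argv[1:]).items():
        print(f"{h}:{p} -> {f.kind}; open mountpoints: {f.open_mountpoints}")
```

A hit on port 10000 means the management interface is reachable with nothing but a password between an attacker and a base station on the operational network, which is the condition the article describes; a caster mountpoint flagged `N` is a correction stream anyone can subscribe to. Either result should lead to the fix the article recommends: put the service behind a VPN or firewall allow-list, not merely behind application credentials.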

“Handala’s operational pattern frequently involves an initial claim followed by escalated action.” concludes the report. “Security teams should treat the current disclosure as a possible precursor to a destructive follow-on and posture accordingly.”
